limit shell's access to log.* properties
Restrict the ability of the shell to set the log.*
properties. Namely: only allow the shell to set
such properties on eng and userdebug builds.
The shell (and other domains) can continue to
read log.* properties on all builds.
While there: harmonize permissions for log.* and
persist.log.tag. Doing so introduces two changes:
- log.* is now writable from |system_app|. This
mirrors the behavior of persist.log.tag, which is
writable to support "Developer options" ->
"Logger buffer sizes" -> "Off".
(Since this option is visible on user builds, the
permission is enabled for all builds.)
- persist.log.tag can now be set from |shell| on
userdebug_or_eng().
BUG=28221972
TEST=manual (see below)
Testing details
- user build (log.tag)
$ adb shell setprop log.tag.foo V
$ adb shell getprop log.tag
<blank line>
$ adb bugreport | grep log.tag.foo
[ 146.525836] init: avc: denied { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0
[ 146.525878] init: sys_prop: permission denied uid:2000 name:log.tag.foo
- userdebug build (log.tag)
$ adb shell getprop log.tag.foo
<blank line>
$ adb shell setprop log.tag.foo V
$ adb shell getprop log.tag.foo
V
- user build (persist.log.tag)
$ adb shell getprop | grep log.tag
<no match>
- Developer options -> Logger buffer sizes -> Off
$ adb shell getprop | grep log.tag
[persist.log.tag]: [Settings]
[persist.log.tag.snet_event_log]: [I]
Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
diff --git a/property_contexts b/property_contexts
index 1329854..e634165 100644
--- a/property_contexts
+++ b/property_contexts
@@ -32,7 +32,7 @@
debug. u:object_r:debug_prop:s0
debug.db. u:object_r:debuggerd_prop:s0
dumpstate. u:object_r:dumpstate_prop:s0
-log. u:object_r:shell_prop:s0
+log. u:object_r:log_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tcp.port u:object_r:shell_prop:s0
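Review bot: on the `log.` line, the relabel from shell_prop to log_prop depends on policy that is not visible in this diff, which touches only property_contexts. Please confirm the same change declares log_prop and carries the rules the commit message describes: set access for shell wrapped in userdebug_or_eng(), set access for system_app on all builds, and read access for the domains that read log.* today. Any other domain that was setting log.* through its shell_prop permission loses that ability with this line, so it is worth searching the policy for shell_prop writers before merging. A one-line comment above the entry saying that shell write access is debug-build only would help the next reader of this file.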
@@ -40,7 +40,7 @@
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
-persist.log.tag u:object_r:logd_prop:s0
+persist.log.tag u:object_r:log_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
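Review bot: on the `persist.log.tag` line, sharing log_prop with `log.` means every domain allowed to set log_prop can now also write a property that survives reboot, and the testing details do not exercise the new shell path. The message covers persist.log.tag on a user build only (no match, then the Settings toggle); please add a userdebug run of `adb shell setprop persist.log.tag ...` showing success and a user-build run showing the avc denial, as was done for log.tag.foo. Also check whether any domain relied on logd_prop to set persist.log.tag, since that access is dropped by moving the label away from logd_prop.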